[Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
Stephen.Davidson at digicert.com
Thu Sep 22 21:22:43 UTC 2022
Thank you for the information.
If I understand this correctly, the first OU example you describe (for example with the tag "SELLO ELECTRONICO") appears to be required in the certificate profiles while the others are optional. I am not sure of the status of the profiles under the regulation.
These examples go against the precedents set in the CABF, so I am hesitant to create a new carve out in version 1.0.0 of the SBR. However, I do note section 9.16.3 https://github.com/cabforum/smime/blob/preSBR/SBR.md#9163-severability which is intended to assist in circumstances like this. The draft says:
In the event of a conflict between these Requirements and a law, regulation or government order (hereinafter ‘Law’) of any jurisdiction in which a CA operates or issues Certificates, a CA MAY modify any conflicting requirement to the minimum extent necessary to make the requirement valid and legal in the jurisdiction. This applies only to operations or Certificate issuances that are subject to that Law. In such event, the CA SHALL immediately (and prior to issuing a Certificate under the modified requirement) include in Section 9.16.3 of the CA’s CPS a detailed reference to the Law requiring a modification of these Requirements under this section, and the specific modification to these Requirements implemented by the CA.
The CA SHALL also (prior to issuing a Certificate under the modified requirement) notify the CA/Browser Forum of the relevant information newly added to its CPS by sending a message to public at cabforum.org and receiving confirmation that it has been posted to the Public Mailing List and is indexed in the Public Mail Archives available at https://cabforum.org/pipermail/public/ (or such other email addresses and links as the Forum may designate), so that the CA/Browser Forum may consider possible revisions to these Requirements accordingly.
Any modification to CA practice enabled under this section SHALL be discontinued if and when the Law no longer applies, or these Requirements are modified to make it possible to comply with both them and the Law simultaneously. An appropriate change in practice, modification to the CA’s CPS and a notice to the CA/Browser Forum, as outlined above, SHALL be made within 90 days.
The validity period in the SBR will apply to all certificates in scope of the standard, namely those with an EKU for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension. The periods were chosen in line with requirements and expectations of Certificate Consumers for these certs.
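As an added example, not part of this thread or of the SBR itself: a small Python check that applies the scope definition given above (EKU id-kp-emailProtection plus a rfc822Name or an id-on-SmtpUTF8Mailbox otherName in subjectAltName) and the 825/1185-day validity caps to a certificate's extension values, decoding the DER by hand so no third-party library is needed. It assumes the caller already has the DER-encoded extension values (for instance from a certificate parser), uses hypothetical function names, and takes the id-on-SmtpUTF8Mailbox OID 1.3.6.1.5.5.7.8.9 from RFC 8398 rather than from this page.

```python
from datetime import date
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # EKU that brings a certificate into scope
ID_ON_SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"  # otherName type-id for UTF-8 mailboxes (RFC 8398)
MAX_VALIDITY_DAYS = {"strict": 825, "multipurpose": 825, "legacy": 1185}

def _tlv(buf, pos):
    """Decode one DER TLV at pos: returns (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _items(der):  # yield (tag, value) for each element inside the outer constructed TLV
    _, body, _ = _tlv(der, 0)
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val

def _oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def has_email_protection_eku(eku_der):  # eku_der: DER ExtKeyUsageSyntax (SEQUENCE OF OID)
    return any(t == 0x06 and _oid(v) == ID_KP_EMAIL_PROTECTION for t, v in _items(eku_der))

def has_mailbox_san(san_der):
    """san_der: DER GeneralNames. rfc822Name is [1] (tag 0x81); otherName is [0] (tag 0xA0) with the type-id OID first."""
    for tag, val in _items(san_der):
        if tag == 0x81 or (tag == 0xA0 and _oid(_tlv(val, 0)[1]) == ID_ON_SMTP_UTF8_MAILBOX):
            return True
    return False

def in_sbr_scope(eku_der, san_der):
    return has_email_protection_eku(eku_der) and has_mailbox_san(san_der)

def validity_within_cap(not_before_iso, not_after_iso, generation):
    days = (date.fromisoformat(not_after_iso) - date.fromisoformat(not_before_iso)).days
    return days <= MAX_VALIDITY_DAYS[generation]

def _der(tag, payload):  # builds the constructed samples below (short-form lengths only)
    return bytes([tag, len(payload)]) + payload

# Constructed sample extension values, not taken from any real certificate.
SAMPLE_EKU = _der(0x30, _der(0x06, bytes.fromhex("2b06010505070304")))  # { id-kp-emailProtection }
SAMPLE_SAN_RFC822 = _der(0x30, _der(0x81, b"alice@example.com"))
SAMPLE_SAN_UTF8 = _der(0x30, _der(0xA0, _der(0x06, bytes.fromhex("2b06010505070809"))
                                 + _der(0xA0, _der(0x0C, "josé@example.com".encode()))))
```

A dNSName-only SAN (tag 0x82) or an EKU without id-kp-emailProtection leaves the certificate out of scope, so neither the OU rules nor the validity caps discussed in this thread would apply to it.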
From: Eusebio Herrera <eusebio.herrera at camerfirma.com>
Sent: Thursday, September 15, 2022 7:53 AM
To: Stephen Davidson <Stephen.Davidson at digicert.com>; SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: RE: Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
1. OU FIELDS
The final draft version of the 'Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates' (BR S/MIME) requires that certain information be included in the subject:organizationalUnitName field.
This information is not sufficient to be included in SMIME certificates of sponsor-validated and organization-validated types issued by Spanish Qualified Trust Service Providers (QTSP) for Government Entities, which is regulated.
Spanish QTSPs are legally forced to comply with this regulation regarding certificates issued for Government Entities.
The Spanish regulation requires that these certificates must include in an OU field some specific text strings, such as:
- OU = "SELLO ELECTRONICO" (electronic seal)
- OU = "CERTIFICADO ELECTRONICO DE EMPLEADO PUBLICO" (electronic certificate for employees of the public administration)
In addition, according to the Spanish regulation, these certificates may include in OU fields some codes used by the public administrations.
Moreover, S/MIME certificates of sponsor-validated and organization-validated types issued by Spanish QTSP for non-Government Entities usually include in OU fields other specific information (i.e., Department), that is not contemplated in the Affiliate definition in BR S/MIME. This information is used by certain applications, and also by certificate subscribers and relying parties. Therefore, the lack of this information would create serious problems in certificate usage.
The possibility of including the department in the OU fields for non-Government Entities, but in a more general way, was previously raised on the Smcwg-public mailing list by a GlobalSign representative, Christophe Bonjean. (April 25th: https://lists.cabforum.org/pipermail/smcwg-public/2022-April/000318.html and May 11th: https://lists.cabforum.org/pipermail/smcwg-public/2022-May/000338.html)
All these data included in OU fields of SMIME certificates of sponsor-validated and organization-validated types issued by Spanish QTSP are verified by the RAs against supporting documentation, a Reliable Data Source, or Attestation, that is, in the same way that the subject:title shall be verified (BR S/MIME 18.104.22.168).
2. MAXIMUM VALIDITY PERIOD
The final draft version of the 'Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates' (BR S/MIME) requires a maximum validity period of 825 days for Strict and Multipurpose Generations and 1,185 days for Legacy Generations.
The Spanish Law which regulates trust services according to EU eIDAS Regulation allows qualified certificates to have a validity period up to 5 years (1824 days), including SMIME certificates of organization-validated, sponsor-validated and individual-validated types.
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On behalf of Stephen Davidson via Smcwg-public
Sent: Thursday, 8 September 2022 9:03
To: smcwg-public at cabforum.org
Subject: [Smcwg-public] Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
Ballot SMC01: Final Guideline for “S/MIME Baseline Requirements”
Purpose of Ballot:
The S/MIME Certificate Working Group was chartered to discuss, adopt, and maintain policies, frameworks, and standards for the issuance and management of Publicly-Trusted S/MIME Certificates. This ballot adopts a new “S/MIME Baseline Requirements” that includes requirements for verification of control over email addresses, identity validation for natural persons and legal entities, key management and certificate lifecycle, certificate profiles for S/MIME Certificates and Issuing CA Certificates, as well as CA operational and audit practices.
An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension in the Certificate.
The following motion has been proposed by Stephen Davidson of DigiCert and endorsed by Martijn Katerbarg of Sectigo and Ben Wilson of Mozilla.
Charter Voting References
Section 5.1 (“Voting Structure”) of the SMCWG Charter says:
In order for a ballot to be adopted by the SMCWG, two-thirds or more of the votes cast by the Certificate Issuers must be in favor of the ballot and more than 50% of the votes cast by the Certificate Consumers must be in favor of the ballot. At least one member of each class must vote in favor of a ballot for it to be adopted. Quorum is the average number of Member organizations (cumulative, regardless of Class) that have participated in the previous three (3) SMCWG Meetings or Teleconferences (not counting subcommittee meetings thereof).
— MOTION BEGINS —
This ballot adopts the “Baseline Requirements for the Issuance and Management of Publicly-Trusted S/MIME Certificates” (“S/MIME Baseline Requirements”) as Version 1.0.0.
The proposed S/MIME Baseline Requirements may be found at https://github.com/cabforum/smime/compare/7b3ab3c55dd92052a8dc0d4f85a2ac26269c222e...28c0b904fe54f1c5f6c71d18c4786a3e02c76f52 or the attached document.
The SMCWG Chair or Vice-Chair is permitted to update the Relevant Dates and Version Number of the S/MIME Baseline Requirements to reflect final dates.
— MOTION ENDS —
This ballot proposes a Final Guideline. The procedure for approval of this ballot is as follows:
Discussion (7+ days)
Start Time: 8 September 2022 17:00 UTC
End Time: 15 September 2022 17:00 UTC
Vote for approval (7 days)
Start Time: 15 September 2022 17:00 UTC
End Time: 22 September 2022 17:00 UTC
IPR Review (60 days)